MajorGeeks Support Forums > Malware Removal
#1 - 12-23-08, 19:46 - Birdman77 (Private E-2)
Possible Rootkit- please help

Hi, this is my first dealing with a rootkit alert; I have Prevx installed and it says one of my music files that is several months old might contain a rootkit. How would I know if it really is a bad rootkit or one of the legal ones out there, or if it's just a false positive? I've tried posting this message with the file attached but it won't post it for some reason. Oh yes, I also scanned the rest of my system and all else is clean.

Here is what GMER found:

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2008-12-23 08:47:52
Windows 5.1.2600 Service Pack 2


---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1712] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [A11DE912] DLAIFS_M.SYS

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

---- EOF - GMER 1.0.12 ----

Not sure if those are actual rootkits or not, so hopefully you can help with that.

But TrendMicro's Rootblaster didn't find anything.

OK, in the meantime I've also used the BlackLight rootkit scanner and also Panda's rootkit scanner, and both came back with zero rootkits.

Any help would be appreciated; thank you.
Mike
#2 - 12-24-08, 06:43 - Birdman77 (Private E-2)
Re: Possible Rootkit- please help

OK, well, Prevx got back to me and it seems the music file was a false positive. Are the files that GMER found also false positives? I sure hope so.
#3 - 12-26-08, 03:10 - chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Possible Rootkit- please help

Welcome to Major Geeks!

Quote (Birdman77): Are the files that Gmer found also false positives? I sure hope so.

Well, it did not really tell you they were problems anyway. The first is not a problem. DLAIFS_M.SYS is a Drive Letter Access Component from Sonic Solutions, which is software you have on your PC for your CD/DVD drive.

However, the ADS detection (ADS = Alternate Data Stream) is not normal, and you really should do a check on your PC to determine if any malware is the cause of this. I recommend that you work through the below.

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.



READ & RUN ME FIRST. Malware Removal Guide
  • If something does not run, write down the info to explain to us later but keep on going.
  • Do not assume that because one step does not work that they all will not.
Notes:

  1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
  2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."
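As an added example (not code from the thread, and not part of GMER), a small Python parser that splits a GMER text log into its sections and triages the entries the way the reply above does: the ADS entry and the user-mode API hook are always flagged for review, and a device entry is marked benign only when its driver appears on an analyst-maintained allow list (that list is an assumption of the example; DLAIFS_M.SYS is taken from the reply above). The sample log is constructed from the entries posted in this thread.

```python
import re

# Constructed sample: the entries from the GMER log posted in this thread.
GMER_LOG = r"""GMER 1.0.12.12011 - http://www.gmer.net
---- User code sections - GMER 1.0.12 ----
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1712] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
---- Devices - GMER 1.0.12 ----
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [A11DE912] DLAIFS_M.SYS
---- Files - GMER 1.0.12 ----
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
---- EOF - GMER 1.0.12 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
HOOK_RE = re.compile(r"(\S+\.dll!\w+) [0-9A-F]{8} \d+ Bytes (JMP|CALL) [0-9A-F]{8} (.+)$")

def parse_gmer(text):
    """Split a GMER text log into {section name: [entry lines]}; stops at EOF."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            if current == "EOF":
                break
            sections[current] = []
        elif line and current:
            sections[current].append(line)
    return sections

def triage(sections, known_good_modules=()):
    """Return (status, kind, subject, detail) tuples; ADS entries and API hooks
    are always 'review', devices are 'benign' only if their driver is on the
    analyst's allow list (a hypothetical list, not something GMER provides)."""
    findings = []
    for line in sections.get("Files", []):
        if line.startswith("ADS "):
            path, _, stream = line[4:].rpartition(":")  # stream name follows the last ':'
            findings.append(("review", "ADS", path, stream))
    for line in sections.get("User code sections", []):
        m = HOOK_RE.search(line)
        if m:  # hooked API and the module the jump lands in
            findings.append(("review", "hook", m.group(1), m.group(3)))
    for line in sections.get("Devices", []):
        module = line.rsplit(" ", 1)[-1]  # driver that owns the IRP handler
        status = "benign" if module.upper() in known_good_modules else "review"
        findings.append((status, "device", line.split()[1], module))
    return findings
```

Running triage(parse_gmer(GMER_LOG), ("DLAIFS_M.SYS",)) leaves two entries marked for review, the ADS stream and the msnmsgr.exe hook, which matches the reply's point that GMER reports what it sees and a person decides whether it is a problem.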
#4 - 12-26-08, 09:58 - Birdman77 (Private E-2)
Re: Possible Rootkit- please help

Thank you very much; yeah, after I did some searching I found that was a file for my Sonic drive, but figured I'd leave it up there just in case; wasn't sure if it could become infected or not. OK, I ran all the stuff you told me to and am attaching the log files here. I couldn't use Spybot Search & Destroy though, due to it being incompatible with my Trend Micro PC-cillin program. The others I used though. Fingers crossed everything is clean.

mbam-log-2008-12-26 (09-21-50).txt

SUPERAntiSpyware Scan Log - 12-26-2008 - 09-11-17.log

ComboFix.txt
#5 - 12-26-08, 09:59 - Birdman77 (Private E-2)
Re: Possible Rootkit- please help

And here is the MGlog file: MGlogs.zip

thank you for your help.
Mike
#6 - 12-26-08, 10:44 - Birdman77 (Private E-2)
Re: Possible Rootkit- please help

One thing that is strange though: after I ran all these tests, I was wanting to check "msconfig", so I typed it into the "Run" window and it told me it couldn't be found. Also, I restarted the PC and it went to the window asking how I wanted to boot the operating system before it'd start up as normal, so I had to do a system restore to yesterday, grrr. Any ideas?
#7 - 12-26-08, 11:45 - Birdman77 (Private E-2)
Re: Possible Rootkit- please help

OK, now this is annoying; now Prevx CSI found this file - is it also a false positive?
it's in C: Windows:system32:swreg.exe

which I found is some sort of reg editor from SteelWerX.
#8 - 12-28-08, 01:35 - chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Possible Rootkit- please help

Quote (Birdman77): one thing that is strange though; after I ran all these tests; i was wanting to check "msconfig" so i typed it into the "run" window & it told me it couldn't be found.

We would be fixing that for you. I believe it is a recent bug in ComboFix.


Quote (Birdman77): Also, I restarted the pc and it went to the window asking how I wanted to boot the operating system before it'd start up as normal so I had to do a system restore to yday grrr. Any ideas?

This was probably not an issue. It was just due to installing the Windows Recovery Console, which gives you a choice on how you want to boot. If you hit no keys, it usually bypasses this screen within a few seconds. Doing a system restore makes all of the scans you did basically worthless, since you may have undone anything that the scans fixed. But your scans may not have found any problems anyway, since they are all clean.

You did not install the version of SUPERAntiSpyware given in the READ & RUN ME. You are way out of date. You need to uninstall what you have, and then download, install, and update the version given in the link in the READ & RUN ME.


You do have a couple things to do.

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Uninstall the below old versions of software:
Java(TM) SE Runtime Environment 6 Update 1
Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

After clicking Fix, exit HJT.

Now run Ccleaner!


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below log:
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
Last edited by chaslang; 12-28-08 at 01:45.

#9 - 12-28-08, 01:38 - chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Possible Rootkit- please help

Quote (Birdman77): ok now this is annoying; now prevxcsi found this file - is it also a false positive?
it's in C: Windows:system32:swreg.exe
which I found is some sort of reg editor from SteelWerX.

False positive. Prevx has a lot of false positive issues. I suggest not using it.
#10 - 12-28-08, 09:03 - Birdman77 (Private E-2)
Re: Possible Rootkit- please help

OK, I'm sorry I didn't remove that Viewpoint player beforehand; I must have not seen that step in the Read Me section. I did as you requested and here are the 2 logs you wanted. One thing though: I didn't get this to come up - "This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

After clicking Fix, exit HJT."

I ran the MGtool but I didn't see anything come up regarding HijackThis, so I went in and opened it myself, and when it scanned my PC it didn't list the "O4-HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.ex" line, so I left that alone just in case. I will do the CCleaner right now.

I did remove the Prevx program as you suggested, and I can't say I'm sad to see it go considering it scared me twice now this week.

Would you also take a look at this screenshot please and tell me which folders and files I can safely remove? I don't want to do anything that'll screw my system up. Thank you very much for your help.

MGlogs.zip

SUPERAntiSpyware Scan Log - 12-28-2008 - 07-47-26.log

Image1.jpg
#11 - 12-31-08, 03:07 - chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Possible Rootkit- please help

Your logs are clean.


If you are not having any other malware problems, it is time to do our final steps:
  1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
  2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
    • "%userprofile%\Desktop\combofix" /u
      • Notes: The space between the combofix" and the /u, it must be there.
      • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    • Delete the C:\combofix folder from combofix (if it exists)
  3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
  4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
  5. Go to add/remove programs and uninstall HijackThis.
  6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
  7. If you are running Vista, Windows XP or Windows ME, do the below:
    • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
  8. After doing the above, you should work through the below link:
#12 - 12-31-08, 06:38 - Birdman77 (Private E-2)
Re: Possible Rootkit- please help

Thank you so much for your help; I really appreciate it, and I've done all you told me to do. Have a great new year.
#13 - 01-03-09, 02:06 - chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Possible Rootkit- please help

You're welcome. Surf safely!